Augmented Marauder / Water Saci multi-pronged phishing campaign targeting Latin America and Europe
Campaign
Summary
Water Saci is actively evolving a WhatsApp Web worm in Brazil that uses HTA and PDF lures to deliver a banking trojan. The latest wave shifts from PowerShell to a Python-based propagation script that spreads through trusted contacts on WhatsApp Web, helping the campaign bypass conventional controls and increase infection rates. Trend Micro says the chain may have been ported with help from an LLM/code-translation tool. The malware uses AutoIt, executed.dat, and command-and-control domains including manoelimoveiscaioba[.]com and serverseistemasatu[.]com to support persistence, reconnaissance, and remote control.
Related Happenings
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware Activity
First: 08.05.2026 21:12
Last: 08.05.2026 21:12
Sources 1
About this happening:
**TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
Code of conduct-themed Microsoft AiTM phishing campaign
Campaign
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...
Amazon SES phishing and BEC abuse campaign
Campaign
First: 04.05.2026 23:03
Last: 04.05.2026 23:03
Sources 1
About this happening:
A phishing campaign is abusing Amazon Simple Email Service (SES) to send convincing emails that can bypass standard authentication and reputation-based defenses. Attackers are usi...
Silver Fox tax-themed phishing campaign delivering ABCDoor and ValleyRAT
Campaign
First: 04.05.2026 14:57
Last: 04.05.2026 14:57
Sources 1
About this happening:
**Silver Fox** is running a **tax-themed phishing campaign** that now targets **India** with **Income Tax Department** lures and delivers **ValleyRAT (aka Winos 4.0)**. The campai...
JanelaRAT malware activity targeting Latin American banks
Malware Activity
First: 13.04.2026 20:15
Last: 13.04.2026 20:15
Sources 1
About this happening:
**JanelaRAT** continues targeting **Latin American banks and financial institutions**, with telemetry showing **14,739 attacks in Brazil** in **2025** and **11,695 in Mexico**, ra...
Timeline
- 01.04.2026 15:36 · 2 articles · 1mo ago
Augmented Marauder / Water Saci phishing campaign targets Latin America and Europe
Campaign Scope Update: Augmented Marauder / Water Saci are running a multi-pronged phishing campaign against Spanish-speaking users in organizations across Latin America and Europe, using email, WhatsApp, and ClickFix paths to deliver Casbaneiro (Metamorfo) through Horabot and to harvest Outlook contacts for further phishing.
Sources:
- Casbaneiro Phishing Targets Latin America and Europe Using Dynamic PDF Lures — thehackernews.com — 01.04.2026 15:36
- 01.04.2026 15:36 · 2 articles · 1mo ago
Phishing chain uses PDF lure, HTA/VBS payloads, and AutoIt loaders
Technical Analysis Update: The delivery chain starts with court summons-themed phishing emails that push a password-protected PDF, a malicious link, and an automatic ZIP download before executing HTA and VBS payloads. The VBS stage performs anti-analysis checks, retrieves AutoIt-based loaders, and launches encrypted payloads that load staticdata.dll for Casbaneiro and at.dll for Horabot. The chain includes a remote PHP API at hxxps://tt.grupobedfs[.]com/.../gera_pdf.php for dynamic PDF generation.
Sources:
- Casbaneiro Phishing Targets Latin America and Europe Using Dynamic PDF Lures — thehackernews.com — 01.04.2026 15:36
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32